I was using a query on one of my local SQL Servers where I wanted to know what logins were connected to my databases. I actually ended up running the query against my Azure SQL Database and had some very interesting results.

SELECT login_name ,COUNT(session_id) AS session_count
FROM sys.dm_exec_sessions
GROUP BY login_name;

Over a hundred sa connections and logins starting with DB210/XXXX. I wouldn’t say that I was worried but more so intrigued. I then ended up on an official Microsoft forum where an employee actually said that this was normal. The sa user most definitely is not us (as the user / customer). The most powerful access we have would be the server admin account or the AD admin account.

The DB210 login is very intriguing. This is always logging in under multiple program names.

SELECT * FROM sys.dm_exec_sessions
WHERE login_name LIKE 'DB%'
AND Host_name IS NOT NULL

The DMV collector and backup services (program names) is quite obvious what they are but the TdService is actually threat detection services. Regardless of whether or not you have enabled this feature this service connects to the database to confirm if the feature is enabled or not so don’t be alarmed by this login.

However, can you notice an oddity with the above? Why do I have multiple TdService program names? This is soon to be under investigation with Microsoft.

I am a Senior DBA with interest in MS technology especially SQL Server and Azure. During 2015 I was mentored by Paul Randal – Data Platform (SQL Server) MVP and during 2016 I completed my SQLskills Immersion training on Internals and Performance Tuning. When I am not working I am in the gym burning calories.